Isn’t Linux/Chapro.A just the Darkleech Apache module?

The anti-virus vendor ESET published a blog post on 18 December about a “new” malicious Apache module that injects malicious content into web pages served by compromised servers. The malware, named Linux/Chapro.A by ESET, uses XOR loop obfuscation and other techniques to evade detection by system administrators. ESET also reported that the malware was actively used by exploit kits, specifically Sweet Orange. ESET provided some screenshots, but no samples.

I was interested in this new malware because a few weeks ago another malicious web server module was found, this time targeting nginx in proxy mode, but with the same purpose.

Based on the little information provided by ESET, I began my investigation in order to find samples and get more details on the malware.

I saw too many similarities here between the malicious Apache module discovered by Unmask Parasites and ESET’s Linux/Chapro.A.

Fortunately, Unmask Parasites provided more details (some strings) of the malicious Apache module in his blog post, which allowed me to continue my investigation. The malicious Apache module was linked to the Darkleech module by the module’s author on Russian underground forums.